GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-15 12:36:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000062 TOSHIBA_ rev.GH10 298,09GB
Running: wljx71qt.exe; Driver: C:\Users\Ola\AppData\Local\Temp\fxlcapow.sys


---- User code sections - GMER 2.2 ----

.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076861401 2 bytes JMP 76e5b263 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076861419 2 bytes JMP 76e5b38e C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076861431 2 bytes JMP 76ed90f1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007686144a 2 bytes CALL 76e348ad C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   00000000768614dd 2 bytes JMP 76ed89ea C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000768614f5 2 bytes JMP 76ed8bc0 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   000000007686150d 2 bytes JMP 76ed88e0 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076861525 2 bytes JMP 76ed8caa C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   000000007686153d 2 bytes JMP 76e4fce8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076861555 2 bytes JMP 76e56937 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   000000007686156d 2 bytes JMP 76ed91a9 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076861585 2 bytes JMP 76ed8d0a C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   000000007686159d 2 bytes JMP 76ed88a4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   00000000768615b5 2 bytes JMP 76e4fd81 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   00000000768615cd 2 bytes JMP 76e5b324 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000768616b2 2 bytes JMP 76ed906c C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]   C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000768616bd 2 bytes JMP 76ed8839 C:\Windows\syswow64\kernel32.dll
?       C:\Windows\system32\mssprxy.dll [4564] entry point in ".rdata" section 000000006e7571e6
.text   C:\Program Files\AVAST Software\Avast\avastui.exe[4704]   C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter   0000000076e38791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]

---- User IAT/EAT - GMER 2.2 ----

IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]   [7fef83d741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]   [7fef83d5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]   [7fef83d5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]   [7fef83d5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]   [7fef83d7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]   [7fef83d6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]   [7fef83d6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]   [7fef83d7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]   [7fef83d7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]   [7fef83d78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]   [7fef83d4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]   [7fef83d5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]   [7fef83d7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F7CBDE3C-14FD-469A-8AA4-A39200BB67EA}\Connection@Name   isatap.{2D847B46-9824-4AF3-A3F7-7BEF26F6DB48}
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind   \Device\{02374395-9895-442C-9DBF-EE2D757BF2FB}?\Device\{1B797B46-22CD-48CA-A9DF-7DC89372F8A5}?\Device\{F7CBDE3C-14FD-469A-8AA4-A39200BB67EA}?\Device\{987551F6-14D1-4124-85C8-D9E7CFA36658}?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route   "{02374395-9895-442C-9DBF-EE2D757BF2FB}"?"{1B797B46-22CD-48CA-A9DF-7DC89372F8A5}"?"{F7CBDE3C-14FD-469A-8AA4-A39200BB67EA}"?"{987551F6-14D1-4124-85C8-D9E7CFA36658}"?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export   \Device\TCPIP6TUNNEL_{02374395-9895-442C-9DBF-EE2D757BF2FB}?\Device\TCPIP6TUNNEL_{1B797B46-22CD-48CA-A9DF-7DC89372F8A5}?\Device\TCPIP6TUNNEL_{F7CBDE3C-14FD-469A-8AA4-A39200BB67EA}?\Device\TCPIP6TUNNEL_{987551F6-14D1-4124-85C8-D9E7CFA36658}?
Reg     HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{F7CBDE3C-14FD-469A-8AA4-A39200BB67EA}@InterfaceName   isatap.{2D847B46-9824-4AF3-A3F7-7BEF26F6DB48}
Reg     HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{F7CBDE3C-14FD-469A-8AA4-A39200BB67EA}@ReusableType   0

---- EOF - GMER 2.2 ----
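Added triage example (not part of the GMER log above and not GMER's own code): a small parser for the three user-mode sections GMER prints (".text" inline patches, IAT entries, Reg entries) that sorts each finding into a verdict a responder can act on. It encodes two facts needed to read this particular log: on Windows 7 the exported functions of psapi.dll are stubs that transfer into kernel32.dll, so a PSAPI.DLL -> kernel32.dll JMP/CALL in a WOW64 process is the expected layout rather than a hook; and the bytes GMER dumped at SetUnhandledExceptionFilter in avastui.exe, 31 C0 C2 04 00 90 90, decode to `xor eax, eax; ret 4; nop; nop`, i.e. the function now returns 0 to its caller. The sample input is constructed: every line is copied from the log above except one, marked hypothetical, that is not from the log and exists only to exercise the "cross_module_hook" review path. The forwarder table and the handful of opcodes decoded are assumptions chosen for this example.

```python
"""Triage GMER 2.2 user-mode findings. Added example; not GMER's code."""
import re
from collections import Counter

# Constructed sample: lines copied from the log above, one entry per line as
# GMER prints them. The "hypothetical" line is NOT from the log.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.2 ----
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076861401 2 bytes JMP 76e5b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4564]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007686144a 2 bytes CALL 76e348ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[4704]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076e38791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\hypothetical\example.exe[1234]  C:\Windows\syswow64\ntdll.dll!NtQueryDirectoryFile  0000000077a3f4c0 5 bytes JMP 10001000 C:\Users\Public\unknown.dll
---- User IAT/EAT - GMER 2.2 ----
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2432] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]  [7fef83d741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
---- Registry - GMER 2.2 ----
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind  \Device\{02374395-9895-442C-9DBF-EE2D757BF2FB}?\Device\{1B797B46-22CD-48CA-A9DF-7DC89372F8A5}?
"""

TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+(?P<module>.+?)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>\d+))?\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+(?P<rest>.*)$")
COLLAPSED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<count>\d+)$")   # GMER's "N more like this"
XFER_RE = re.compile(r"^(?P<insn>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)\s+(?P<target_module>.+?)\s*$")
BYTES_RE = re.compile(r"^\[(?P<body>[^\]]*)\]$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+@\s+(?P<image>.+?)\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<resolved>.+?)\s*$")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+?)@(?P<value>\S+)\s+(?P<data>.*?)\s*$")

# Assumption for this example: (hooked module, transfer target) pairs that are
# the normal layout. Windows 7 psapi.dll exports are stubs into kernel32.dll.
FORWARDERS = {("psapi.dll", "kernel32.dll")}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_stub(raw):
    """Decode the few x86 opcodes that patched prologues usually consist of."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b == 0x90:
            out.append("nop"); i += 1
        elif b == 0xC3:
            out.append("ret"); i += 1
        elif b == 0xC2 and i + 2 < len(raw):                      # ret imm16
            out.append(f"ret {int.from_bytes(raw[i+1:i+3], 'little')}"); i += 3
        elif b in (0x31, 0x33) and i + 1 < len(raw) and raw[i+1] == 0xC0:
            out.append("xor eax, eax"); i += 2
        elif b == 0xEB and i + 1 < len(raw):                      # jmp rel8
            out.append(f"jmp short {int.from_bytes(raw[i+1:i+2], 'little', signed=True):+d}"); i += 2
        elif b == 0xE9 and i + 4 < len(raw):                      # jmp rel32
            out.append(f"jmp rel32 {int.from_bytes(raw[i+1:i+5], 'little', signed=True):+d}"); i += 5
        elif b == 0xB8 and i + 4 < len(raw):                      # mov eax, imm32
            out.append(f"mov eax, {int.from_bytes(raw[i+1:i+5], 'little'):#x}"); i += 5
        else:
            out.append(f"db {b:#04x}"); i += 1
    return out


def parse_bytes(body):
    toks = [t.strip() for t in body.split(",")]
    return bytes(int(t, 16) for t in toks if t and t != "..."), "..." in toks


def _inline_finding(m):
    f = {"kind": "inline", "pid": int(m["pid"]), "module": basename(m["module"]), "func": m["func"],
         "offset": int(m["off"]) if m["off"] else 0, "size": int(m["size"])}
    x = XFER_RE.match(m["rest"])
    if x:
        f["target_module"] = basename(x["target_module"])
        if (f["module"], f["target_module"]) in FORWARDERS:
            f["verdict"] = "expected_forwarder"
        elif f["module"] == f["target_module"]:
            f["verdict"] = "intra_module_transfer"
        else:
            f["verdict"] = "cross_module_hook"      # review: who owns the target module?
        return f
    b = BYTES_RE.match(m["rest"])
    if b:
        raw, f["truncated"] = parse_bytes(b["body"])
        d = f["decoded"] = decode_stub(raw)
        neutered = len(d) >= 2 and d[0] == "xor eax, eax" and d[1].startswith("ret")
        f["verdict"] = "stub_returns_zero" if neutered else "body_patched"
        return f
    f["verdict"] = "unparsed"
    return f


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := COLLAPSED_RE.match(line)):
            findings.append({"kind": "inline", "verdict": "collapsed", "count": int(m["count"])})
        elif (m := TEXT_RE.match(line)):
            findings.append(_inline_finding(m))
        elif (m := IAT_RE.match(line)):
            same = basename(m["resolved"]) == m["dll"].lower()   # import still points into the named DLL?
            findings.append({"kind": "iat", "pid": int(m["pid"]), "import": f"{m['dll']}!{m['func']}",
                             "verdict": "iat_resolves_to_named_dll" if same else "iat_redirected"})
        elif (m := REG_RE.match(line)):
            # '?' is how GMER renders the NUL separators of a multi-string value.
            findings.append({"kind": "registry", "key": m["key"], "value": m["value"],
                             "data": [d for d in m["data"].split("?") if d], "verdict": "registry_entry"})
    return findings


def summarize(findings):
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["verdict"], f.get("func") or f.get("import") or f.get("value"), f.get("decoded", ""))
    print(summarize(triage(SAMPLE_LOG)))
```

Only `cross_module_hook` and `iat_redirected` need a human to look at the target module; the psapi stubs and the collapsed "* 9" line are the same Windows 7 layout repeated, and a `stub_returns_zero` patch inside a vendor's own process is something to confirm with that vendor rather than treat as a rootkit indicator on its own.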